Information Security Policy
Last updated: July 9, 2026
1. Purpose and Scope
This Information Security Policy describes the administrative, technical, and physical safeguards TetherLines LLC ("we," "our," or "us") uses to protect the confidentiality, integrity, and availability of customer data processed by the TetherLines platform at tetherlines.com (the "Service").
This policy applies to all systems, personnel, and third-party providers involved in operating the Service, and covers all customer data — including account information, client contact records, and transaction and business performance data.
2. Infrastructure and Hosting
TetherLines is a cloud-native application. We do not operate physical servers; all infrastructure runs on established cloud providers with independently audited security programs (SOC 2 Type II):
- Vercel — application hosting, deployment, and edge network
- Supabase — managed PostgreSQL database and authentication, hosted on Amazon Web Services (United States)
- Resend — transactional email delivery
Physical security of data centers is managed by these providers under their respective certifications. Production and development environments are fully separated, with distinct databases, credentials, and configuration.
3. Data Encryption
- In transit — All traffic between your browser and the Service, and between the Service and its database, is encrypted using HTTPS/TLS. Unencrypted connections are not accepted.
- At rest — Customer data is encrypted at rest by our database provider using industry-standard encryption (AES-256).
- Credentials — Passwords are hashed using an adaptive one-way algorithm and are never stored or logged in plain text.
- Secrets — API keys, database credentials, and other secrets are stored in environment configuration managed by our hosting providers, never in source code.
4. Access Control and Authentication
Customer Access
Every request to the Service is authenticated. User identity is managed through our authentication provider (Supabase Auth) using secure session tokens. Within an organization, access is role-based: account owners and admins can view team-wide data, while individual agents can view only their own data.
Internal Access
Access to production systems and customer data is restricted to authorized TetherLines personnel on a least-privilege, need-to-know basis. Administrative access to hosting and database providers is protected by strong authentication.
5. Multi-Tenant Data Isolation
TetherLines is a multi-tenant platform, and tenant isolation is enforced at multiple layers:
- Every database table containing customer data is protected by PostgreSQL Row Level Security (RLS) policies, so data is only accessible within the organization that owns it
- All application queries are scoped to the authenticated user's organization
- API routes independently verify authentication and organization membership before returning data
Authorization decisions are made from server-controlled records only — never from client-supplied values.
6. Application Security
- All user input is validated on the server using schema-based validation before processing
- Database access goes through a typed ORM with parameterized queries, protecting against SQL injection
- Rate limiting is applied to API endpoints to prevent abuse and brute-force attempts
- New account access is gated by an approval process during our beta period
- We do not store payment card data; if payment processing is enabled, card details are handled entirely by our payment processor (Stripe) and never touch our systems
7. Secure Development Practices
- All code changes are version-controlled and reviewed before reaching production
- Changes are tested in a development environment that is fully separated from production data
- Dependencies are monitored and updated to address known vulnerabilities
- Security-relevant issues are tracked to resolution and regression-tested
8. Backup and Availability
Production database backups are performed automatically by our database provider on a recurring schedule. Application deployments are immutable and independently versioned, allowing rapid rollback if a release causes issues. Platform availability is monitored, and a health endpoint is used to verify the Service after every deployment.
9. Incident Response
In the event of a security incident affecting customer data, we will:
- Investigate and contain the incident promptly upon discovery
- Assess the scope of data and customers affected
- Notify affected customers without undue delay, and in any case within 72 hours of confirming a breach involving their personal data
- Remediate the root cause and document lessons learned
Incident notifications are sent to the email address associated with the affected account.
10. Vulnerability Reporting
If you believe you have found a security vulnerability in TetherLines, please report it to support@tetherlines.com with enough detail for us to reproduce the issue. We ask that you do not access data belonging to other users, and that you give us a reasonable opportunity to remediate before any public disclosure. We will acknowledge reports promptly and keep you informed as we investigate.
11. Data Retention and Deletion
Customer data is retained for as long as the account is active or as needed to provide the Service. Upon account deletion request, personal data is deleted within 30 days, except where retention is required for legal or compliance purposes. Details are described in our Privacy Policy.
12. Third-Party Providers
We use a small, deliberate set of third-party providers to operate the Service (listed in Section 2). Each processes data on our behalf under terms that require them to protect it, and each maintains its own independently audited security program. We review the security posture of any new provider before adopting it.
13. Changes to This Policy
We review this policy periodically and update it as our practices and the Service evolve. When we make material changes, we will update the "Last updated" date at the top of this page.
14. Contact
Questions about this policy or our security practices can be directed to support@tetherlines.com.